Cases in Point

March 2016 — North Memorial Health Care agreed to pay the U.S. Department of Health and Human Services (HHS) $1,550,000 to settle charges that it potentially violated HIPAA Privacy and Security Rules by failing to implement a BAA with a major contractor and failing to institute an organization-wide risk analysis.

April 2016 — Raleigh Orthopedic Clinic, P.A. of North Carolina agreed to pay HHS $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over PHI for approximately 17,300 patients to a potential business partner without first executing a BAA.

September 2016 — Care New England Health System agreed to pay HHS $400,000 for failing to update, in a timely manner, an existing written BAA on behalf of each of the covered entities under its common ownership or control. The BAA was issued in March 2005 and not updated until August 2015. In 2012, one of its covered entities discovered that unencrypted backup tapes containing electronic PHI were missing.

April 2017 — The Illinois-based Center for Children’s Digestive Health agreed to pay HHS $31,000 for failing to have a BAA with a company it hired to store records containing PHI.

Take Corrective Action

The lesson here is to do now what these entities should have done in the first place:

Develop, maintain, and revise policies and procedures to comply with HIPAA Privacy and Security Rules;

Designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate;

Renee Dustman, BS, AAPC MACRA Proficient, is an executive editor at AAPC. She holds a Bachelor of Science degree in Media Communications - Journalism. Renee has more than 20 years of experience in print production and content management. Follow her on Twitter @dustman_aapc.
